3 Answers
3

What you could look at doing is locking down the SOE so tight that the only way they can use their machine outside of the office to access the internet is to force them through your VPN, so they are using your corporate proxy system (ISA/Bluecoat). By doing that, it should then be possible to set up restricted access to sites around the points you have stated, and you can track what they do.

If you are using Windows then you can use AD group policy to lock down their system; make sure they do not have admin rights to their machines (even use UAC to really lock the system down so tight that all they can do is open programs that are installed through something like SCCM). Lock out access to the BIOS; this would mean they could not boot off other media to try and bypass any of the restrictions you have put in place. These are some basic ideas on what you can do.

But the one thing that is very important is to have a very well worded and clean computer user policy that states what the punishments will be if any breaches are proven.

You also need to understand what the law is around privacy, as you could find that what you would like to do cannot be done due to some law. So you need to make sure you have the company's ass well covered in this regard, as if you fire someone for something and then they find out you broke the law in the way you found out they had breached some policy, then your company could be taken to court. As an example, where I live what people view on the internet and the emails they send are considered to be private, whether it be from their home machine or their work computer.

Thanks for this. I will update my OP to include important details your answer brings out, such as that there is no willingness to depart from MS OS and having at least some users having local admin privileges. See my update in a few minutes.
– Detritus Maximus, Oct 5 '11 at 0:25

you said a "policy that states what the punishments will be." You mean the usual "up to and including termination may result" is not best?
– Detritus Maximus, Oct 5 '11 at 0:46

1

If there is a requirement for some users to have local admin then it is going to be very hard for you to track what they do. If they have the ability to install applications such as Truecrypt (to hide data on their computer), Eraser (secure data wiping program) and Chrome with clickandclean (this is a Chrome addon that allows for a 7-pass DoD wipe of all browser data), well, you know what this means to what you are after. And to answer your question, yes, it would be the norm that would include loss of their job.
– enterzero, Oct 5 '11 at 0:52
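The first answer's lockdown (UAC on, no elevation for standard users, browser traffic forced through the corporate proxy) is the kind of thing you want to verify on a returned laptop rather than assume. The following is an added example, not code from the answer or from any of the products it names: it parses a `reg export` of the UAC policy key and the per-user WinINET proxy key and reports every value that deviates from a baseline. The baseline values are a hypothetical hardening profile chosen for the example; the `.reg` text is a constructed sample (a real export is UTF-16 with CRLF line ends, so decode it first).

```python
import re
from typing import Dict

# Constructed sample of `reg export` output for the two keys of interest.
# Values deliberately drift from the baseline so the check has something to report.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]
"EnableLUA"=dword:00000001
"ConsentPromptBehaviorAdmin"=dword:00000005
"ConsentPromptBehaviorUser"=dword:00000003

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings]
"ProxyEnable"=dword:00000000
"ProxyServer"="proxy.example.internal:8080"
"""

# Hypothetical hardening baseline: key path -> {value name: expected value}.
BASELINE = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System": {
        "EnableLUA": 1,                   # UAC enabled
        "ConsentPromptBehaviorAdmin": 2,  # admins: consent prompt on the secure desktop
        "ConsentPromptBehaviorUser": 0,   # standard users: elevation requests auto-denied
    },
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings": {
        "ProxyEnable": 1,                 # browser traffic goes through the proxy
    },
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"(.+?)"=(.*)$')


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the subset of .reg syntax that `reg export` emits: key headers,
    REG_DWORD values (dword:xxxxxxxx, hex) and REG_SZ values ("...").
    Any other value type is kept as its raw right-hand side string."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, rhs = m.group(1), m.group(2)
            if rhs.startswith("dword:"):
                keys[current][name] = int(rhs[len("dword:"):], 16)
            elif rhs.startswith('"') and rhs.endswith('"'):
                # .reg doubles backslashes inside string values; undo that.
                keys[current][name] = rhs[1:-1].replace("\\\\", "\\")
            else:
                keys[current][name] = rhs
    return keys


def check_baseline(keys: Dict[str, Dict[str, object]], baseline=BASELINE):
    """Return (key, value name, expected, actual) for every baseline value that
    is missing from the export or differs from the expected value."""
    findings = []
    for key, expected_values in baseline.items():
        present = keys.get(key, {})
        for name, expected in expected_values.items():
            actual = present.get(name)
            if actual != expected:
                findings.append((key, name, expected, actual))
    return findings


if __name__ == "__main__":
    for key, name, expected, actual in check_baseline(parse_reg(SAMPLE_REG)):
        print(f"{key}\\{name}: expected {expected!r}, found {actual!r}")
```

Against the sample this reports three deviations (the two consent-prompt settings and `ProxyEnable`); `EnableLUA` passes. A missing value is reported as `None`, which matters because an absent policy value silently falls back to the Windows default rather than to your baseline.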

What your management is looking for is essentially a technical solution to an HR problem. You are usually better off just having policies in place governing the use of work computers for personal use and leaving it at that.

However, if you've been tasked with investigating a user for potential violations of the policies (looking for a job is ludicrous BTW), then you can forensically look at the person's laptop which involves all sorts of fun things:

File deletion/recovery

Recovering internet usage data

Preservation of original data

Chain of custody rules

The list goes on and on and this type of forensics usually occurs when an actual, you know, CRIME has taken place, not a violation of a policy. I have to ask, is it really necessary to go through all of this for what is presumably an at will employee?

There are software solutions available to catch users in the act like Spector Pro, which I've had the misfortune of having to use.

This is not a problem that has a technical solution. If there is a policy in place, and the user violates it (which is later discovered by normal, casual, non-forensic means), they are terminated. If a company really wants to get rid of someone they will find a way that generally does not result in them getting sued (which a policy that is worded like this may open them up to if they decide to enforce it), and there are much easier ways to terminate someone than trying to enforce and track remote laptop usage. The users being local admins, with unsupervised and exclusive physical access to the laptop, just negates any technical controls you could put into place that would even make it worth your time trying to implement a technical solution to this.

Having a policy that says they can use it for personal use "except for..." is even more ridiculous. It is much easier for the policy to state that it can't be used for personal use period.

The trend in remote laptop usage is more focused around protecting the data on the laptop from falling into the wrong hands in the event it is lost or stolen which involves hard disk encryption usually.

One method that may or may not work for your org is to have no actual data or applications stored on the laptop, but have the user only use it as a VPN client to remote back to the office into a VM or terminal server to do all of their work. Their activity is much more easily tracked when all of their activity is going through the office, and if they don't log in or have much activity after they do, then they probably aren't working (kind of an inverse to the policy your company is looking at). Also, if the laptop is lost or stolen, there is minimal impact to the company since there was no data on it to begin with. This, of course, depends on what kind of work they are doing and if their job requires working with no internet access.
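The forensic list earlier on this page ("preservation of original data", "chain of custody") is where an informal HR-driven investigation usually falls apart: if nobody can show the evidence is unchanged since acquisition, the findings are worthless. The following is an added example, not code from any answer here, of the minimal record that makes those two items concrete: a manifest that hashes every acquired file and logs who handled the evidence and when, plus a verifier that re-hashes the files later and flags anything modified, missing or unexpected. File names, the custodian name and the file contents are all constructed for the demo; a real acquisition would hash an image of the disk, not a live file tree.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so a disk image does not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def build_manifest(evidence_dir: Path, custodian: str, note: str) -> dict:
    """Record size, mtime and SHA-256 of every file under evidence_dir and open
    the custody log with the acquisition entry (the 'preservation' record)."""
    files = {}
    for p in sorted(evidence_dir.rglob("*")):
        if p.is_file():
            st = p.stat()
            files[p.relative_to(evidence_dir).as_posix()] = {
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": sha256_file(p),
            }
    return {
        "custody": [{"who": custodian, "when_utc": _now(), "action": "acquired", "note": note}],
        "files": files,
    }


def add_custody_entry(manifest: dict, who: str, action: str, note: str = "") -> None:
    """Append a hand-off or access event; the log is append-only by convention."""
    manifest["custody"].append({"who": who, "when_utc": _now(), "action": action, "note": note})


def verify_manifest(evidence_dir: Path, manifest: dict) -> dict:
    """Re-hash every recorded file. Returns {relpath: 'ok'|'modified'|'missing'},
    plus 'unexpected' for files present now that were never recorded."""
    results = {}
    for rel, rec in manifest["files"].items():
        p = evidence_dir / rel
        if not p.is_file():
            results[rel] = "missing"
        elif sha256_file(p) != rec["sha256"]:
            results[rel] = "modified"
        else:
            results[rel] = "ok"
    for p in evidence_dir.rglob("*"):
        if p.is_file():
            rel = p.relative_to(evidence_dir).as_posix()
            results.setdefault(rel, "unexpected")
    return results


def demo() -> tuple:
    """Constructed scenario: acquire two files, write the manifest beside (not
    inside) the evidence tree, then alter one file and re-verify.
    Returns (results_before_tampering, results_after_tampering)."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp) / "laptop_image"
        (evidence / "recovered").mkdir(parents=True)
        (evidence / "browser_history.db").write_bytes(b"constructed sample bytes 1")
        (evidence / "recovered" / "deleted_doc.txt").write_bytes(b"constructed sample bytes 2")

        manifest = build_manifest(evidence, "analyst-1", "loaner laptop, constructed demo")
        add_custody_entry(manifest, "analyst-2", "received", "handed over for review")
        (Path(tmp) / "manifest.json").write_text(json.dumps(manifest, indent=2))

        before = verify_manifest(evidence, manifest)
        (evidence / "browser_history.db").write_bytes(b"tampered")  # simulate alteration
        after = verify_manifest(evidence, manifest)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

The manifest is written next to the evidence directory rather than inside it so the verifier does not report it as an unexpected file. Anyone who handles the evidence appends a custody entry; the hashes in `files` are what lets a third party confirm the data in front of them is the data that was acquired.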